29. Privacy by Design. —

(a) managerial, organisational, business practices and technical systems
are designed in a manner to anticipate, identify and avoid harm to the
data principal;

(b) the obligations mentioned in Chapter II are embedded in
organisational and business practices;

(c) technology used in the processing of personal data is in accordance
with commercially accepted or certified standards;

(d) legitimate interests of businesses including any innovation is
achieved without compromising privacy interests;

(e) privacy is protected throughout processing from the point of
collection to deletion of personal data;

(f) processing of personal data is carried out in a transparent manner;
and

(g) the interest of the data principal is accounted for at every stage
of processing of personal data.

30. Transparency. —

(1) The data fiduciary shall take reasonable steps to maintain
transparency regarding its general practices related to processing
personal data and shall make the following information available in an
easily accessible form as may be specified—

(a) the categories of personal data generally collected and the manner
of such collection;

(b) the purposes for which personal data is generally processed;

(c) any categories of personal data processed in exceptional situations
or any exceptional purposes of processing that create a risk of
significant harm;

(d) the existence of and procedure for the exercise of data principal
rights mentioned in Chapter VI, and any related contact details for the
same;

(e) the existence of a right to file complaints to the Authority;

(f) where applicable, any rating in the form of a data trust score that
may be accorded to the data fiduciary under section 35;

(2) The data fiduciary shall notify the data principal of important
operations in the processing of personal data related to the data
principal through periodic notifications in such manner as may be
specified.

31. Security Safeguards. —

(1) Having regard to the nature, scope and purpose of processing
personal data undertaken, the risks associated with such processing, and
the likelihood and severity of the harm that may result from such
processing, the data fiduciary and the data processor shall implement
appropriate security safeguards including—

(2) Every data fiduciary and data processor shall undertake a review of
its security safeguards periodically as may be specified and may take
appropriate measures accordingly.

32. Personal Data Breach. —

(1) The data fiduciary shall notify the Authority of any personal data
breach relating to any personal data processed by the data
fiduciary where such breach is likely to cause harm to any data principal.

(2) The notification referred to in sub-section (1) shall include the
following particulars—

(a) nature of personal data which is the subject matter of the breach;

(b) number of data principals affected by the breach;

(c) possible consequences of the breach; and

(d) measures being taken by the data fiduciary to remedy the breach.

(3) The notification referred to in sub-section (1) shall be made by the
data fiduciary to the Authority as soon as possible and not later than
the time period specified by the Authority, following the breach after
accounting for any time that may be required to adopt any urgent
measures to remedy the breach or mitigate any immediate harm.

(4) Where it is not possible to provide all the information as set out
in sub-section (2) at the same time, the data fiduciary shall provide
such information to the Authority in phases without undue delay.

(5) Upon receipt of notification, the Authority shall determine whether
such breach should be reported by the data fiduciary to the data
principal, taking into account the severity of the harm that may be
caused to such data principal or whether some action is required on the
part of the data principal to mitigate such harm.

(6) The Authority may, in addition to requiring the data fiduciary to
report the personal data breach to the data principal under sub-section
(5), direct the data fiduciary to take appropriate remedial action as
soon as possible and to conspicuously post the details of the personal
data breach on its website.

(7) The Authority may, in addition, also post the details of the
personal data breach on its own website.

33. Data Protection Impact Assessment. —

(1) Where the data fiduciary intends to undertake any processing
involving new technologies or large scale profiling or use of sensitive
personal data such as genetic data or biometric data, or any other
processing which carries a risk of significant harm to data principals,
such processing shall not be commenced unless the data fiduciary has
undertaken a data protection impact assessment in accordance with the
provisions of this section.

(2) The Authority may, in addition, specify those circumstances, or
classes of data fiduciaries, or processing operations where such data
protection impact assessment shall be mandatory, and may also specify
those instances where a data auditor under this Act shall be engaged by
the data fiduciary to undertake a data protection impact assessment.

(3) A data protection impact assessment shall contain, at a minimum—

(a) detailed description of the proposed processing operation, the
purpose of processing and the nature of personal data being processed;

(b) assessment of the potential harm that may be caused to the data
principals whose personal data is proposed to be processed; and

(c) measures for managing, minimising, mitigating or removing such risk
of harm.

(4) Upon completion of the data protection impact assessment, the data
protection officer shall review the assessment prepared and shall submit
the same to the Authority in such manner as may be specified.

(5) On receipt of the assessment, if the Authority has reason to believe
that the processing is likely to cause harm to the data principals, the
Authority may direct the data fiduciary to cease such processing or
direct that such processing shall be subject to such conditions as may
be issued by the Authority.

(a) important operations in the data life-cycle including collection,
transfers, and erasure of personal data to demonstrate compliance
as required under section 11;

(b) periodic review of security safeguards under section 31;

(c) data protection impact assessments under section 33; and

(d) any other aspect of processing as may be specified by the Authority.

(2) The records in sub-section (1) shall be maintained in such form as
specified by the Authority.

(3) Notwithstanding anything contained in this Act, this section shall
apply to the Central or State Government, departments of the Central and
State Government, and any agency instrumentality or authority which is
“the State” under Article 12 of the Constitution.

35. Data Audits. —

(1) The data fiduciary shall have its policies and the conduct of its
processing of personal data audited annually by an independent data
auditor under this Act.

(2) The data auditor will evaluate the compliance of the data fiduciary
with the provisions of this Act, including—

(a) clarity and effectiveness of notices under section 8;

(b) effectiveness of measures adopted under section 29;

(c) transparency in relation to processing activities under section 30;

(d) security safeguards adopted pursuant to section 31;

(e) instances of personal data breach and response of the data
fiduciary, including the promptness of notification to the Authority
under section 32; and

(f) any other matter as may be specified.

(3) The Authority shall specify the form, manner and procedure for
conducting audits under this section including any civil penalties on
data auditors for negligence.

(4) The Authority shall register persons with expertise in the area of
information technology, computer systems, data science, data protection
or privacy, with such qualifications, experience and eligibility having
regard to factors such as independence, integrity and ability, as it may
specify, as data auditors under this Act.

(5) A data auditor may assign a rating in the form of a data trust score
to the data fiduciary pursuant to a data audit conducted under this
section.

(6) The Authority shall specify the criteria for assigning a rating in
the form of a data trust score having regard to the factors mentioned in
sub-section (2).

(7) Notwithstanding sub-section (1) where the Authority is of the view
that the data fiduciary is processing personal data in a manner that is
likely to cause harm to a data principal, the Authority may order the
data fiduciary to conduct an audit and shall appoint a data auditor for
that purpose.

36. Data Protection Officer. —

(1) The data fiduciary shall appoint a data protection officer for
carrying out the following functions—

(a) providing information and advice to the data fiduciary on matters
relating to fulfilling its obligations under this Act;

(b) monitoring personal data processing activities of the data fiduciary
to ensure that such processing does not violate the provisions of this
Act;

(c) providing advice to the data fiduciary, where required, on the manner
in which data protection impact assessments must be carried out, and
carrying out the review of such assessment under sub-section (4) of
section 33;

(d) providing advice to the data fiduciary, where required, on the manner
in which internal mechanisms may be developed in order to satisfy the
principles set out under section 29;

(e) providing assistance to and cooperating with the Authority on
matters of compliance of the data fiduciary with provisions under this
Act;

(f) acting as the point of contact for the data principal for the purpose
of raising grievances to the data fiduciary pursuant to section 39 of
this Act; and

(g) maintaining an inventory of all records maintained by the data
fiduciary pursuant to section 34.

(2) Nothing shall prevent the data fiduciary from assigning any other
function to the data protection officer, which it may consider
necessary, in addition to the functions provided in sub-section (1)
above.

(3) The data protection officer shall meet the eligibility and
qualification requirements to carry out its functions under sub-section
(1) as may be specified.

(4) Where any data fiduciary not present within the territory of India
carries on processing to which the Act applies under section 2(2), and
the data fiduciary is required to appoint a data protection officer
under this Act, the data fiduciary shall appoint such officer who shall
be based in India and shall represent the data fiduciary in compliance of
obligations under this Act.

37. Processing by entities other than data fiduciaries. —

(1) The data fiduciary shall only engage, appoint, use or involve a data
processor to process personal data on its behalf through a valid contract.

(2) The data processor referred to in sub-section (1) shall not further
engage, appoint, use, or involve another data processor in the relevant
processing on its behalf except with the authorisation of the data
fiduciary, unless permitted through the contract referred to in
sub-section (1).

(3) The data processor, and any employee of the data fiduciary or the
data processor, shall only process personal data in accordance with the
instructions of the data fiduciary unless they are required to do
otherwise under law and shall treat any personal data that comes within
their knowledge as confidential.

(1) The Authority shall, having regard to the following factors, notify
certain data fiduciaries or classes of data fiduciaries as significant
data fiduciaries—

(a) volume of personal data processed;

(b) sensitivity of personal data processed;

(c) turnover of the data fiduciary;

(d) risk of harm resulting from any processing or any kind of processing
undertaken by the fiduciary;

(e) use of new technologies for processing; and

(f) any other factor relevant in causing harm to any data principal as a
consequence of such processing.

(2) The notification of a data fiduciary or classes of data fiduciaries
as significant data fiduciaries by the Authority under sub-section (1)
shall require such data fiduciary or class of data fiduciaries to
register with the Authority in such manner as may be specified.

(3) All or any of the following obligations in this Chapter, as
determined by the Authority, shall apply only to significant data
fiduciaries—

(a) data protection impact assessments under section 33;

(b) record-keeping under section 34;

(c) data audits under section 35; and

(d) data protection officer under section 36.

(4) Notwithstanding sub-section (3), the Authority may notify the
application of all or any of the obligations in sub-section (3) to such
data fiduciary or class of data fiduciaries, not being a significant
data fiduciary, if it is of the view that any processing activity
undertaken by such data fiduciary or class of data fiduciaries carries a
risk of significant harm to data principals.

39. Grievance Redressal. —

(1) Every data fiduciary shall have in place proper procedures and
effective mechanisms to address grievances of data principals
efficiently and in a speedy manner.

(2) A data principal may raise a grievance in case of a violation of any
of the provisions of this Act, or rules prescribed, or regulations
specified thereunder, which has caused or is likely to cause harm to
such data principal, to—

(a) the data protection officer, in case of a significant data
fiduciary; or

(b) an officer designated for this purpose, in case of any other data
fiduciary.

(3) A grievance raised under sub-section (2) shall be resolved by the
data fiduciary in an expeditious manner and no later than thirty days
from the date of receipt of grievance by such data fiduciary.

(4) Where a grievance under sub-section (2) is not resolved within the
time period mentioned under sub-section (3), or where the data principal
is not satisfied with the manner in which the grievance is resolved, or
the data fiduciary has rejected the grievance raised, the data principal
shall have the right to file a complaint with the adjudication wing
under section 68 of the Act in the manner prescribed.

(5) Any person aggrieved by an order made under this section by an
Adjudicating Officer in accordance with the procedure prescribed in this
regard, may prefer an appeal to the Appellate Tribunal.